Horrible problem with SAMBA -- Does Karmic work?

Pete Clapham pclapham at windstream.net
Sun Nov 29 16:43:46 UTC 2009


Tom H wrote:
>>>>> I have done a clean install of Karmic on my file server and am tearing my
>>>>> hair out. I'm almost ready to bolt for Red Hat!
>>>>> I have tried numerous times to set up SAMBA so that students can log into
>>>>> the system and access the files they need to access. They can't. The
>>>>> latest error is that the machine account isn't set up. But I can't find
>>>>> where the machine account is. When I upgraded from Jaunty (which worked
>>>>> fine), I got this error and was unable to delete the machine password from
>>>>> the /etc/samba/smbpasswd file to reload it. Now there isn't an
>>>>> /etc/samba/smbpasswd file at all, so the accounts must be stored elsewhere.
>>>>> Any ideas? Students can log in directly to the server or via ssh. The
>>>>> problem is samba, and it appears to be the machine accounts.
>>>>
>>>> Thanks to the two who responded to this email. However, this still leaves
>>>> the question open as to whether I need to establish accounts for both users
>>>> and workstations; I assume I do. The TDBs seem to record the users
>>>> correctly, but they do not appear to record the workstations. The way I've
>>>> been doing this is, first, "useradd -M -N -s /bin/false <machinename$>",
>>>> then "passwd -l <machinename$>", then "smbpasswd -a -m <machinename>". I
>>>> get the message that users are added with the final statement (or deleted
>>>> with smbpasswd -x -m <machinename>), but then I get the message that the
>>>> workstation accounts aren't established when I try to log in on them. I
>>>> suspect that the smbpasswd program is trying to write something to
>>>> somewhere, but it's the tdb files that are actually controlling things. Do
>>>> I use pdbedit for this, as I do with the users?
>>>
>>> I have only ever used pdbedit for listing users (with -Lw or -Lv) but
>>> it can be used to create, modify, and delete users and groups just
>>> like smbpasswd. It can also create and modify account policies but I
>>> have not used these functions or even looked into them.
>>>
>>> Your useradd-passwd-smbpasswd sequence seems correct (I would have
>>> added "-g <gid>" or "-g 65534" rather than "-N" to the passwd
>>> invocation, out of habit rather than out of necessity AFAIK - and I
>>> assume that the missing $ at the end of the smbpasswd invocation is an
>>> email typo).
>>>
>>> Run
>>> pdbedit -Lv <hostname>$
>>> to make sure that you have "W" on the account flags line
>>> and
>>> to make sure that you have your domain/workgroup on the domain line
>>> (and not your server name)
>>>
>>> Questions:
>>>
>>> 1. How do you know that it is the machine accounts that are failing
>>> you? Please check your logs (or possibly increase the log level,
>>> restart samba, try logging on, and check your logs).
>>>
>>> 2. How is your smb.conf set up? Which security setting have you
>>> chosen? Do you have a netlogon section?
>>>
>>> 3. Do you really need to have a domain setup with machine accounts
>>> (since you seem to have just one box)?
>>
>> Thanks for your input. I've learned a lot more about the problem in the
>> last few days, and every time I think I understand what's going on I
>> find out I don't. Students can log into the server locally and via ssh,
>> and they can access network resources via "net use @:
>> \\servername\share". However, they can't log on using samba -- UNLESS
>> they are working on a workstation on which they were working before I
>> upgraded the server, and it has their Windows profile. Then, they can
>> indeed log into the system under their own name, but the system gives
>> them the error message that it can't find their roaming profile and it's
>> logging them on using their local profile. This is very strange
>> behavior; it doesn't fall into anything I've ever seen before.
>>
>> Anyhow, here's the smb.conf file:
>>
>> [global]
>> workgroup = ERSL
>> server string = Environmental Remote Sensing Laboratory
>> netbios aliases = earth.sr-02-01.csuohio.edu
>> interfaces = eth1
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> logon drive = X:
>> domain logons = Yes
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> template homedir = /home2/%D/%U
>> template shell = /bin/bash
>> admin users = clapham
>>
>> #[netlogon]
>> #comment = Network Logon Service
>> #path = /home/samba/netlogon
>>
>> Here's the pdbedit -Lv for one workstation.
>>
>> Unix username: columbia$
>> Account Flags: [W ]
>> User SID: S-1-5-21-1977151345-229110656-292509728-1066
>> Primary Group SID: S-1-5-21-1977151345-229110656-292509728-513
>> Domain: ERSL
>>
>> Any help you can provide would be very welcome. As for your questions,
>> I think the first two have been answered. As for the third, I am
>> actually running 5 servers and about 20 workstations. It really does
>> make sense, both for the size of the operation and the nature of what
>> we're doing, to have a PDC.
>
> No probs. I was only questioning the use of a PDC because you seemed
> to have just one server judging from your previous posts. My mistaken
> assumption.
>
> "net use @: \\servername\share" means that samba _shares_ are working
> for "servername". So your Samba usernames are being authorised for
> servername...
>
> Logging on to a local profile is standard behaviour for a Windows
> workstation when it cannot find a DC. (FYI, in Win networks, there is
> a time limit to being able to do so - I have forgotten whether it is a
> set period - three weeks comes to mind - or a function of password
> ageing.)
>
> For a PDC smb.conf, you need your netlogon section to be uncommented
> and with the correct path and "logon path" and "logon home" in the
> global section.
>
> Also, for a PDC, if you haven't done so, you need to add group maps of
> the Domain Administrators and Domain Users Win groups to Linux groups.
>
> Once you make those changes and restart Samba, create a test user, and
> try to log on to the domain.
>
> You might want to cross-post at
> https://lists.samba.org/mailman/listinfo/samba
>
> One more question: Did you re-create the user and machine accounts?
>
Tom --

Thank you for your comments.  I assumed that the netlogon had something
to do with the problem.  The form in which it was in the smb.conf file
was what's worked fine for the last 3 years in Samba and which stopped
working when I upgraded to Karmic (hence the post on ubuntu-users).  Did
Karmic change the default logon path and/or logon home?  (I'm not really
sure what these are anyhow).  Also I'm not sure what group maps are.
Can you advise?

Thanks.

BTW, I did recreate the user and machine accounts when I reloaded Karmic.

cheers,
pete
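
The checks suggested in the quoted reply (an active [netlogon] share, "logon path" and "logon home" in [global], the "W" flag and the workgroup on the Domain line of pdbedit -Lv), run against excerpts of the smb.conf and pdbedit output quoted above. This is an added example, not part of the original post; the helper names are made up for illustration, and a missing "logon path" or "logon home" is only reported as not set explicitly.

```python
import configparser
import re

# Excerpts of the smb.conf and pdbedit -Lv output quoted in the thread; helper names are illustrative.
SMB_CONF = """\
[global]
workgroup = ERSL
log file = /var/log/samba/log.%m
domain logons = Yes
#[netlogon]
#path = /home/samba/netlogon
"""
PDBEDIT_LV = """\
Unix username: columbia$
Account Flags: [W ]
Domain: ERSL
"""

def load_conf(text):
    # interpolation=None: %m, %U are Samba variables; section names are compared lowercased.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return {name.lower(): dict(cp[name]) for name in cp.sections()}

def pdc_findings(conf):
    """Check the smb.conf items named in the reply; returns a list of gaps."""
    g, out = conf.get("global", {}), []
    if g.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        out.append("domain logons is not enabled")
    if not conf.get("netlogon", {}).get("path"):
        out.append("no active [netlogon] share with a path")
    out += [f"'{k}' not set explicitly in [global]"
            for k in ("logon path", "logon home") if k not in g]
    return out

def machine_findings(pdbedit_text, workgroup):
    """Check one pdbedit -Lv record: W flag present, Domain equals the workgroup."""
    rec = {k.strip().lower(): v.strip()
           for k, v in re.findall(r"^([^:\n]+):(.*)$", pdbedit_text, re.M)}
    out = []
    if "W" not in rec.get("account flags", ""):
        out.append("account flags lack W (not a workstation trust account)")
    if rec.get("domain", "").lower() != workgroup.lower():
        out.append("domain line does not match the workgroup")
    return out

if __name__ == "__main__":
    conf = load_conf(SMB_CONF)
    print(pdc_findings(conf), machine_findings(PDBEDIT_LV, conf["global"]["workgroup"]))
```
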
